tkip IV
Last Post: October 13, 2006:
-
Hi Fmedina:
I agree.
TKIP uses a 48 bit per-MPDU TKIP sequence counter (TSC) to sequence the MPDUs it sends. TKIP assigns a monotonically increasing TSC value to each MPDU. The TSC is used for mundane frame replay protection not provided by WEP, and to solve the problem of weak WEP initialization vectors (IV) through exotic key mixing.
TKIP encodes the low order 16 bits of the TSC value from the sender to the receiver in two of the three IV octets of the old 32 bit IV/KeyID field of the encryption header. The third octet is essentially padded. The result is that the IV component of the IV/KeyID field rolls over with every 65536 encrypted MPDUs arriving from a given link partner while the rest of the TSC for that link partner increments by one.
The high order 32 bits of the TSC value is encoded in the new 32 bit Extended IV field of the frame header. Because of these field names it is easy to see why people say that TKIP uses a longer IV than WEP does. It would be more accurate to say that TKIP uses no initialization vectors but stores its TCS in fields named IV and Extended IV, but I don't recommend trying this in polite company.
TKIP uses a cryptographic mixing function to combine a 128 bit temporal key, the 48 bit target MAC address (TA), and the 48 bit TSC into the 128 bit WEP seed used for a single MPDU and any required retransmissions of that MPDU. The receiver, which already possesses its MAC address and the pairwise temporal key, recovers the 48 bit TSC from a received MPDU and utilizes the mixing function to compute the same 128 bit WEP seed needed to correctly decrypt the MPDU.
TKIP represents the 128 bit WEP seed as a 24 bit WEP IV and 104 bit RC4 key and passes these with each MPDU to the WEP process for generation of the ICV and for encryption/decryption. In contrast to the WEP-104 cipher suite which uses a fixed 104 bit secret key and a 24 bit monotonically increasing IV, TKIP's corresponding 104 bits change values wildly (so wildly that hopefully only possessors of the current pairwise temporal key can predict it) and its corresponding 24 bits cycle through a mere 65536 possible values.
Meanwhile the CCMP cipher suite uses a 48 bit packet number (PN) incremented by a positive number for each MPDU, munged into a nonce, then used along with additional authentication data (AAD) munged from information carried in the MPDU header, and a session specific temporal key to create the cipher text and MIC. The 8 octet CCMP Header takes the place of the IV and Extended IV subfields but contains the six octets of the PN in the same positions as before.
With RSNA security WEP encryption keys that seldom if ever change and 24 bit WEP initialization vectors that easily roll over are both gone, replaced by session specific temporal keys and nonces based on information carried in the MPDU header including 48 bit TSCs and PNs.
I hope this helps. Thanks. /criss
- 1